On 02/05/14 11:15 -0600, Peter Erickson wrote:
>> >virtdomains: userid
>> >defaultdomain: example.com
>>
>> Other than that, your config looks reasonable. Include an 'ldapdb_mech'
>> option to reduce confusion. sasl_ldapdb_canon_attr may need to be 'uid'
>> instead, since example.com is the default domain. This command should
>> succeed, and return the DN of the test user if your config is good:
>
>Just to make sure that I'm understanding the options right, is there a
>good explanation for what sasl_ldapdb_canon_attr does? I'm not quite
>sure that I understand its purpose.

sasl_ldapdb_canon_attr will be the resolved identity that sasl hands back
to cyrus. The identity will be used to find the user's INBOX. Having a
default domain complicates things a bit (and you may have to experiment. I
don't define a default domain).

Basically, the sasl_ldapdb_canon_attr should equal the user portion of
their INBOX name. It's handy in scenarios where the authentication identity
differs from the mailbox name (name change, for instance).

>Based on the following, it's possible that my problem isn't with cyrus
>imapd/sasl, but a misunderstanding of the ldap proxy authorization
>process and I need to recheck my ldap config. I'm more accustomed to
>using ldap filters and a base instead of the proxy authorization.
>
># ldapwhoami -Y digest-md5 -U imapd-user -w password -X u:tuser -Z
>SASL/DIGEST-MD5 authentication started
>SASL username: u:tuser
>SASL SSF: 128
>SASL data security layer installed.
>dn:cn=test user,o=hosted_domain,ou=hosting,dc=example.com

This looks good.

># ldapwhoami -Y digest-md5 -U imapd-user -w password -X u:tuser@xxxxxxxxxxx -Z
>SASL/DIGEST-MD5 authentication started
>ldap_sasl_interactive_bind_s: Insufficient access (50)
>	additional info: SASL(-14): authorization failure: not authorized

You may need a different or better authz-regexp rule here, or you may need
to adjust your authzto/authzfrom rules.

See: http://www.openldap.org/doc/admin24/sasl.html#SASL Proxy Authorization

--
Dan White
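
One way to check offline which identity a set of authz-regexp rules produces for the two ldapwhoami calls above, as an added example that is not part of the original message. It approximates slapd's ordered, case-insensitive rule matching in Python; the search base, the `mail` attribute, the realm `hosted.example`, both realm-qualified DN forms and all function names are assumptions.

```python
import re

def authz_map(sasl_dn, rules):
    """First matching rule wins; $1..$9 expand to capture groups."""
    for pattern, replacement in rules:
        m = re.search(pattern, sasl_dn, re.IGNORECASE)  # unanchored match
        if m:
            return re.sub(r"\$(\d)", lambda r: m.group(int(r.group(1))) or "",
                          replacement)
    return None  # no rule matched: the identity stays an unmapped SASL DN

def sasl_dns(authzid, mech="digest-md5"):
    """Candidate SASL DNs for a u: authzid; both realm forms are assumptions."""
    user = authzid[2:] if authzid.startswith("u:") else authzid
    forms = [f"uid={user},cn={mech},cn=auth"]
    if "@" in user:
        local, realm = user.split("@", 1)
        forms.append(f"uid={local},cn={realm},cn={mech},cn=auth")
    return forms

BASE = "ou=hosting,dc=example,dc=com"   # constructed search base
TAIL = "cn=digest-md5,cn=auth"

# A single rule written with only unqualified usernames in mind.
NAIVE = [(rf"uid=([^,]*),{TAIL}", f"ldap:///{BASE}??sub?(uid=$1)")]

# Realm-qualified forms first, then the unqualified form.
REALM_AWARE = [
    (rf"uid=([^,@]+),cn=([^,]+),{TAIL}", f"ldap:///{BASE}??sub?(mail=$1@$2)"),
    (rf"uid=([^,@]+)@([^,]+),{TAIL}", f"ldap:///{BASE}??sub?(mail=$1@$2)"),
    (rf"uid=([^,@]+),{TAIL}", f"ldap:///{BASE}??sub?(uid=$1)"),
]

if __name__ == "__main__":
    for authzid in ("u:tuser", "u:tuser@hosted.example"):
        for dn in sasl_dns(authzid):
            print(dn)
            print("  naive       ->", authz_map(dn, NAIVE))
            print("  realm-aware ->", authz_map(dn, REALM_AWARE))
```

A mapped DN is only the first step: the proxy user's authzTo (or the target entry's authzFrom) must still permit it under the configured authz-policy.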